ABSTRACT

An electronic system with security functionality that opti- 
mizes performance of the electronic system during crypto- 
graphic operations. In one embodiment, the electronic sys- 
tem includes a chipset having circuitry to perform bulk 
cryptographic operations and a circuitry physically removed 
from the chipset to control and manage operations of the 
chipset. 

31 Claims, 10 Drawing Sheets 
OPTIMIZED SECURITY FUNCTIONALITY
IN AN ELECTRONIC SYSTEM 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The present invention relates to the field of cryptography. 
More particularly, the present invention relates to an elec- 
tronic system that includes security functionality to optimize 
performance of the electronic system during cryptographic 
operations. 

2. Description of Art Related to the Invention 

In today's society, it is becoming necessary to protect 
information transmitted from a personal computer ("PC") so 
that the information is clear and unambiguous to an autho- 
rized receiver, but incomprehensible to any unauthorized 
persons. Additionally, it is becoming necessary to protect 
information stored within the PC to prevent unauthorized 
persons from downloading information onto a floppy disk, 
digital tape or other type of content storage device. Protec- 
tion against unauthorized downloading may be accom- 
plished by placing the information in an encrypted format 
prior to storage within the PC. Such encryption may be
performed by either (i) a processing unit of the PC executing 
cryptographic software, or (ii) a cryptographic device solely 
connected to a system bus of the PC. 

Referring to FIG. 1, the PC 100 designed in accordance 
with a conventional cryptographic implementation scheme 
is shown. The PC 100 includes a host processor 105 coupled 
to a chipset 110. The chipset 110 operates as a communi- 
cative pathway to both main memory 115 and an internal bus 
120. A number of peripheral devices may be coupled to the
internal bus 120 including a Personal Computer ("PC") card
125 that is used in this embodiment to provide cryptographic
functionality to PC 100. Other peripheral devices include a
parallel port device 126, a modem 127, and a disk controller
128 being an interface to a storage device such as a hard disk
drive ("HDD") 129. This conventional architectural scheme
may simplify the implementation of cryptographic function- 
ality into an existing PC platform without an appreciable 
effect on various components already implemented therein; 
however, it adversely impacts performance of PC 100. 

More specifically, a primary disadvantage associated with 
the conventional cryptographic implementation of FIG. 1 is 
that a cryptographic device 130, solely implemented within 
the PC 100 as a peripheral device such as a PC card, would 
adversely affect bandwidth of internal bus 120. The reason 
for the adverse effect is that performance of "bulk crypto- 
graphic operations" would require data to be transferred 
through internal bus 120 a multiple number of times. "Bulk 
cryptographic operations" are defined as operations involv- 
ing (i) cryptography that supports high-volume throughput, 
(ii) hashing and the like. The cryptography utilized by bulk 
cryptographic operations typically involves symmetric key 
cryptography (e.g., encryption or decryption under Data 
Encryption Standard "DES" and other functions), or perhaps 
may involve asymmetric key cryptography. 

For example, in order to store data in an encrypted format 
within a peripheral device such as HDD 129, the data 
residing in main memory 115 and having a non-encrypted 
format would be initially transferred to the peripheral device 
containing cryptographic device 130. Thereafter, crypto- 
graphic device 130 would encrypt the data and either 
transfer the encrypted data to HDD 129 or to main memory 
115 for subsequent transmission to HDD 129. In either 
scenario, the data propagates through internal bus 120 at 
least two and perhaps three times, in contrast to the normal
propagation of data directly from main memory 115 to HDD 
129 in those cases when data is being stored in a non- 
encrypted format. 

Referring now to FIG. 2, another embodiment of a PC
200, designed in accordance with a second conventional
cryptographic implementation scheme, is shown. The PC
200 includes a host processor 205 coupled to a chipset 210,
main memory 215 and an internal bus 220 as described
above. Contrary to the conventional cryptographic imple-
mentation scheme of FIG. 1 in which cryptography is
performed by the cryptographic device acting as a separate
peripheral device, cryptographic circuitry is implemented
into each of the peripheral devices 225₁-225ₙ ("n" being a
positive whole number) connected to internal bus 220. This
embodiment would avoid unacceptable bus bandwidth
latency, but would impose other disadvantages. One disad-
vantage is that this embodiment increases the costs of each
peripheral device 225₁-225ₙ. Typically, these additional
costs result from greater component costs due to increased
circuitry and greater design and manufacturing costs.
Another disadvantage that may occur is that this embodi-
ment increases the likelihood of future compatibility prob-
lems as different cryptographic circuitry enters the market-
place.

Thus, it would be desirable to develop a system and 
method of operation that overcomes the above-described 
disadvantages. 

SUMMARY OF THE INVENTION

The present invention relates to an electronic system
having security functionality that optimizes performance of
the electronic system during cryptographic operations. The
electronic system includes a chipset implemented with dedi-
cated circuitry to perform bulk cryptographic operations.
The cryptographic operation of the chipset may be con-
trolled and managed by circuitry physically removed from
the chipset, and in secure communications therewith, such as
the host processor or a cryptographic unit. The crypto-
graphic operation of the chipset may also be controlled and
managed by circuitry of the chipset.

BRIEF DESCRIPTION OF THE DRAWINGS 

The features and advantages of the present invention will
become apparent from the following detailed description of
the present invention in which:

FIG. 1 is a conventional PC platform providing crypto-
graphic functionality through a cryptographic device having
a dedicated connection to an internal bus.

FIG. 2 is a conventional PC platform providing crypto-
graphic functionality by implementing cryptographic
devices into peripherals coupled to the internal bus.

FIG. 3 is an embodiment of an electronic system provid-
ing improved performance during cryptographic operations
by implementing partitioned secure cryptographic function-
ality in which bulk cryptographic operations are performed
by the chipset which are controlled and managed by a
separate cryptographic unit.

FIG. 4 is a more-detailed embodiment of the chipset and
the cryptographic unit.

FIG. 5 is an illustrative block diagram of the session key
storage element.

FIG. 6 is another embodiment of an electronic system
providing improved performance during cryptographic
operations by implementing partitioned secure crypto-
graphic functionality in which bulk cryptographic opera-
tions are performed by the chipset which are controlled and
managed by the host processor.

FIG. 7 is an illustrative flowchart of the general crypto-
graphic operations performed by both the chipset and either
the cryptographic unit or host processor in decrypting infor-
mation obtained from a remote source.

FIG. 8 is an illustrative flowchart of cryptographic opera-
tions performed by both the chipset and either the crypto-
graphic unit or host processor in encrypting information
contained in main memory for storage within the electronic
system.

FIG. 9 is yet another embodiment optimizing system
performance during cryptographic operations by implement-
ing cryptographic circuitry onto the chipset.

FIG. 10 is a more-detailed embodiment of the chipset of
FIG. 9.

DESCRIPTION OF THE PREFERRED
EMBODIMENT

The present invention relates to an electronic system and
method for optimizing system performance during crypto-
graphic operations. In the following description, some ter-
minology is used to discuss certain well-known crypto-
graphic functions. For example, an "electronic system" is a
system including processing and internal data storage which
may include, but is not limited to a computer such as laptops
or desktops, servers, imaging devices (e.g., printers, fac-
simile machines, scanners, etc.), financial devices (e.g.,
ATM machines) and the like. "Information" is defined as one
or more bits of data, address, and/or control. A "message" is
generally defined as information being transferred during
one or more bus cycles. A "key" is an encoding and/or
decoding parameter used by conventional cryptographic
algorithms such as a Data Encryption Algorithm as specified
in Data Encryption Standard ("DES") and the like. More
particularly, a "session key" is a temporary key used in
connection with symmetric cryptography to provide secure
communications. A "digital signature" is a message typically
used for authentication purposes. The term "secure" indi-
cates that it is virtually computationally infeasible for an
unauthorized individual to access information in a non-
encrypted format or to successfully perpetuate fraud by
tampering with such information.

Referring to FIG. 3, an illustrative embodiment of an
electronic system 300 employing the present invention is
shown. The electronic system 300 comprises a host proces-
sor 305 and a main memory element 310 (e.g., dynamic
random access memory "DRAM", static random access
memory "SRAM", etc.) coupled together by a chipset 315.
The chipset 315 operates as an interface between a plurality
of buses, namely a host bus 320, a memory bus 325 and bus
330. Besides logic used to perform its standard functionality
of interconnecting multiple buses, which is not discussed in
detail to avoid obscuring the present invention, the chipset
315 may require modification to include dedicated circuitry
that performs bulk cryptographic operations on messages
transferred through chipset 315. Such dedicated circuitry is
included within the chipset, regardless of whether it is
physically located within an integrated circuit package of the
chipset or outside the chipset's package but coupled to both
the chipset 315 and bus 330. An illustrative embodiment of
such circuitry is shown in FIG. 4.

Referring still to FIG. 3, the bus 330 provides a commu-
nication path between (i) a cryptographic unit 335 and (ii) a
plurality of peripheral devices 340₁-340ₘ ("m" being a
positive whole number). The bus 330 may be a Peripheral
Component Interconnect ("PCI") bus, Industry Standard
Architecture ("ISA") bus or any other type of bus architec-
ture. [illegible] bus [illegible] single [illegible]
(e.g., the PCI bus), but it may be multiple buses coupled
together [illegible] bridge [illegible] which [illegible]
device 340₁-340ₘ is coupled to at least one of the multiple
buses.

The cryptographic unit 335 includes circuitry to control
and manage bulk cryptographic operations performed by the
chipset 315. This is accomplished through the use of
[illegible] and/or keys to establish secure communications with
the chipset 315. Additionally, peripheral devices 340₁-340ₘ
may include, but are not limited to, a mass storage device
340₁ (e.g., a hard disk drive, a CD ROM player, CD
recordable player, digital tape drive, a floppy disk drive, a
digital video disk player, etc.), a transceiver device 340ₘ
(e.g., a network interface circuit card, a modem card, etc.)
and the like.

Referring now to FIG. 4, embodiments of
chipset 315 and cryptographic unit 335 are shown. The
chipset 315 includes circuitry 400 that performs bulk cryp-
tographic operations on digital information propagating
through the electronic system. The circuitry 400 includes a
cryptographic engine 405 coupled to bus 330 and memory
bus 325, a session key storage element 410 and a secret key
storage element 420. The cryptographic engine 405 may
possess a unique communication path to main memory via
memory bus 325 or share this communication path with
other circuitry through conventional multiplex hardware.
The session key storage element 410 and the secret key
storage element 420 are coupled to cryptographic engine
405 through signal lines 415 and 425, respectively. The
signal lines 415 and 425 may have the same or different bit
widths, ranging from one-bit to r-bits ("r" being a positive
whole number, r>1).

The cryptographic engine 405 is circuitry (e.g., hardware
or firmware) that performs a bulk cryptographic operation
on input data based on a key supplied by either the session
key storage element 410 or secret key storage element 420,
or based on a hash function if hashing is performed. The
session key storage element 410 is used to store session keys
that are used when performing bulk cryptographic opera-
tions on data input into the cryptographic engine 405. More
specifically, these bulk cryptographic operations may use the
session key to decrypt data transferred to main memory from
one of the peripheral devices or to encrypt data transferred
to one of the peripheral devices for storage or transmission.
Such encryption or decryption may be performed through
Data Encryption Algorithm or other symmetric crypto-
graphic functions, while hashing may be performed through
cryptographic hash functions such as Message Digest 5
("MD5") provided by RSA Data Security of Redwood City,
Calif., Secure Hash Algorithm ("SHA-1") specified by the
National Institute of Standards and Technology of
Washington, D.C., and other established hash functions.

Typically, the session key storage element 410 is imple-
mented with volatile memory to contain one or more session
key(s). In one embodiment, the session key storage element
410 may be configured as cache memory that supports one
or more session keys although such caching architecture is
not required. As generally shown in FIG. 5, one embodiment
of the session key storage element 410 includes multiple
storage entries 500₁-500ₓ ("x" being a positive whole
number), accessible by bus lines coupled thereto (not
shown). Each storage entry 500₁-500ₓ pertains to one
unique key and provides sufficient storage to support at least
three fields associated with that key; namely, a session key
field ("SKF") 505₁-505ₓ, a priority/validity field ("PVF")
510₁-510ₓ and at least one address information field ("AIF")
515₁-515ₓ. The session key field 505₁-505ₓ is used to
contain different session keys used when performing bulk
cryptographic operations. The priority/validity field
510₁-510ₓ is used to identify an "invalid" entry and to
establish a priority in determining which entries may be
overwritten when loading new session keys. The address
information field(s) 515₁-515ₓ include information relating
to the source and destination addresses of a message being
processed.
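
A software model of the session key storage element of FIG. 5, added here as an illustration and not taken from the patent. The text does not say how the priority value is maintained, so this sketch assumes a last-use counter with the lowest value overwritten first; the class names, the integer addresses and the 8-byte sample keys are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(eq=False)
class StorageEntry:
    """One storage entry; field names follow the SKF / PVF / AIF of the text."""
    skf: bytearray = field(default_factory=bytearray)  # session key field
    valid: bool = False    # priority/validity field: validity part
    priority: int = 0      # priority/validity field: priority part
    aif: tuple = (0, 0)    # address information field: (source, destination)

    def wipe(self) -> None:
        """Zero the key bytes before the entry is reused or marked invalid."""
        for i in range(len(self.skf)):
            self.skf[i] = 0
        self.skf = bytearray()
        self.valid = False


class SessionKeyStore:
    """Fixed-size key cache. Assumed policy (not specified by the text):
    priority is a last-use counter and the lowest value is overwritten first."""

    def __init__(self, size: int) -> None:
        self.entries = [StorageEntry() for _ in range(size)]
        self._tick = 0

    def _touch(self, entry: StorageEntry) -> None:
        self._tick += 1
        entry.priority = self._tick

    def _find(self, source: int, destination: int) -> Optional[StorageEntry]:
        for entry in self.entries:
            if entry.valid and entry.aif == (source, destination):
                return entry
        return None

    def load(self, key: bytes, source: int, destination: int) -> int:
        """Load a session key and return the index of the entry that holds it."""
        entry = self._find(source, destination)      # same flow: replace its key
        if entry is None:                            # otherwise use an invalid entry
            entry = next((e for e in self.entries if not e.valid), None)
        if entry is None:                            # otherwise overwrite by priority
            entry = min(self.entries, key=lambda e: e.priority)
        entry.wipe()
        entry.skf = bytearray(key)
        entry.aif = (source, destination)
        entry.valid = True
        self._touch(entry)
        return self.entries.index(entry)

    def lookup(self, source: int, destination: int) -> Optional[bytes]:
        """Return the key for a message's addresses, or None on a miss."""
        entry = self._find(source, destination)
        if entry is None:
            return None
        self._touch(entry)
        return bytes(entry.skf)

    def invalidate(self, source: int, destination: int) -> bool:
        """Mark an entry invalid and erase its key; False if no entry matched."""
        entry = self._find(source, destination)
        if entry is None:
            return False
        entry.wipe()
        return True


def demo_store() -> dict:
    """Constructed scenario: three flows competing for a two-entry store."""
    store = SessionKeyStore(size=2)
    first = store.load(b"A" * 8, 0x1000, 0x2000)
    second = store.load(b"B" * 8, 0x3000, 0x4000)
    store.lookup(0x1000, 0x2000)                  # raises priority of entry 0
    third = store.load(b"C" * 8, 0x5000, 0x6000)  # overwrites entry 1
    return {
        "slots": (first, second, third),
        "evicted_lookup": store.lookup(0x3000, 0x4000),
        "kept_lookup": store.lookup(0x1000, 0x2000),
        "invalidated": store.invalidate(0x1000, 0x2000),
        "reused_slot": store.load(b"D" * 8, 0x7000, 0x8000),
    }
```
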

Referring back to FIG. 4, cryptographic unit 335 is used 
to control and manage bulk cryptographic operations per- 
formed by the chipset 315 as well as to support a secure 
communication path and interconnection with the chipset 
315 and possibly other systems. The cryptographic unit 
comprises a bus 600 interconnecting a processing unit 605, 
non-volatile memory element 610, an optional volatile 
memory element 615 (as denoted by dashed lines), and an 
optional random number generator ("RNG") 620 (as 
denoted by dashed lines). The processing unit 605 may 
include, but is not limited to a processor, a micro-controller, 
a state machine logic circuit and the like. The non-volatile 
memory element 610 contains at least a shared secret key, 
which is also imprinted into the secret key storage element 
420 normally during manufacture when the cryptographic 
unit 335 and the chipset are powered up and in communi- 
cation with each other. This imprinting may be performed by 
an original equipment manufacturer ("OEM") of the elec- 
tronic system, suppliers of the chipset and/or cryptographic 
unit, or a specified third party. 

The shared secret key is generated by random number 
generator 620, if implemented, or an externally available 
random number generator. It is contemplated that the shared 
secret key may be produced after manufacture by an OEM 
or a trusted authority (e.g., trade association, governmental 
entity or other "trusted" entity). As discussed, the shared 
secret key may be used by both chipset 315 and crypto- 
graphic unit 335 to encrypt and decrypt information or to 
establish a "session" key used for that purpose. It is further 
contemplated that volatile memory element 615, if 
implemented, may be utilized as temporary storage by the 
processing unit 605. 

Referring to FIG. 6, another embodiment of the electronic 
system providing improved performance during crypto- 
graphic operations is shown. The electronic system is similar 
to that shown in FIG. 3 with the exception that no crypto- 
graphic unit is implemented to control and manage the 
chipset. Rather, it is contemplated that the host processor 
may control and manage the performance of bulk crypto- 
graphic operations by the chipset 315 through a combination 
of software and hardware. 

Referring now to FIG. 7, a flowchart illustrating the 
operations of an electronic system, implemented with par- 
titioned data security functionality, to decrypt a message in 
an encrypted format received by a transceiver of the elec- 
tronic system is shown. Upon receiving an encrypted 
message, a header of the message is transferred to the 
cryptographic unit (Step 705). The header includes a session 
key (hereinafter referred to as a "mail key") encrypted with 
other information. The mail key is extracted from the header 
of the message by decrypting the header with a key con- 
tained in memory of the cryptographic unit (Step 710). The 
key may be a private key associated with the electronic 
system if public/private key cryptography is used to secure 
communications between the electronic system and other 
networked systems. In the case that the host processor is
performing the functions of the cryptographic unit in con-
trolling the bulk cryptographic operations of the chipset, the
header is processed by the host processor using a key to
which the host processor has access.

Next, the mail key is securely transmitted to the chipset,
destined for the session key storage element (Step 715). This
secure transmission is accomplished by the cryptographic
unit or host processor producing a control message being the
mail key encrypted under a message key. The "message key"
is either the shared secret key or a session key established
through the use of the shared secret key. The control
message can be transmitted to the chipset, which decrypts
the control message, using the message key, to recover the
mail key. Subsequently, the mail key is loaded into the
session key storage element (Steps 720 and 725). Thereafter,
the contents of the message can be transferred through the
chipset and decrypted for transmission to main memory.
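
The FIG. 7 exchange modeled in software, as an added example that is not code from the patent. Assumptions: a SHA-256 keystream cipher stands in for the DES engine, the header key is symmetric, the message key is derived from the shared secret with HMAC, and the control message carries an authentication tag, which the text does not describe; all names and sample data are constructed.

```python
import hashlib
import hmac
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (SHA-256 counter-mode keystream XOR).
    Stand-in for the DES engine named in the text; illustration only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hashlib.sha256(key + nonce + counter).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def subkey(key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific key from another key (assumed construction)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def wrap(message_key: bytes, payload: bytes) -> bytes:
    """Build a control message: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = keystream_xor(subkey(message_key, b"enc"), nonce, payload)
    tag = hmac.new(subkey(message_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(message_key: bytes, control: bytes):
    """Return the payload, or None if the control message fails verification."""
    if len(control) < 48:
        return None
    nonce, ct, tag = control[:16], control[16:-32], control[-32:]
    good = hmac.new(subkey(message_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return keystream_xor(subkey(message_key, b"enc"), nonce, ct)


class CryptographicUnit:
    """Control side: holds the header key and the shared secret key."""

    def __init__(self, shared_secret: bytes, header_key: bytes) -> None:
        self._message_key = subkey(shared_secret, b"message-key")
        self._header_key = header_key

    def header_to_control_message(self, header: bytes) -> bytes:
        """Steps 705-715: extract the mail key, then re-wrap it for the chipset."""
        nonce, wrapped = header[:16], header[16:]
        mail_key = keystream_xor(self._header_key, nonce, wrapped)
        return wrap(self._message_key, mail_key)


class Chipset:
    """Data side: unwraps control messages and performs the bulk operation."""

    def __init__(self, shared_secret: bytes) -> None:
        self._message_key = subkey(shared_secret, b"message-key")
        self._session_key = None  # stands in for the session key storage element

    def load_control_message(self, control: bytes) -> bool:
        """Steps 720-725: recover the mail key and load it; False if rejected."""
        mail_key = unwrap(self._message_key, control)
        if mail_key is None:
            return False
        self._session_key = mail_key
        return True

    def bulk_decrypt(self, body: bytes) -> bytes:
        if self._session_key is None:
            raise RuntimeError("no session key loaded")
        return keystream_xor(self._session_key, body[:16], body[16:])


def run_fig7_flow() -> dict:
    shared_secret = secrets.token_bytes(32)  # imprinted in both components
    header_key = secrets.token_bytes(32)     # held only by the cryptographic unit
    unit = CryptographicUnit(shared_secret, header_key)
    chipset = Chipset(shared_secret)

    # Constructed sample message, built the way a remote sender would build it.
    mail_key = secrets.token_bytes(32)
    plaintext = b"constructed sample message body " * 3
    hn, bn = secrets.token_bytes(16), secrets.token_bytes(16)
    header = hn + keystream_xor(header_key, hn, mail_key)
    body = bn + keystream_xor(mail_key, bn, plaintext)

    control = unit.header_to_control_message(header)
    tampered = bytes([control[0] ^ 1]) + control[1:]
    return {
        "tampered_rejected": not chipset.load_control_message(tampered),
        "loaded": chipset.load_control_message(control),
        "key_hidden_on_bus": mail_key not in control,
        "recovered": chipset.bulk_decrypt(body) == plaintext,
    }
```

The FIG. 8 storage path uses the same wrap and unwrap step, with a file key generated by the control side in place of the extracted mail key.
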

Referring to FIG. 8, a flowchart illustrating the operations
of the electronic system, implemented with partitioned data
security functionality, to encrypt data before storage in a
peripheral device such as HDD, is shown. First, the oper-
ating system of the electronic system sends a request to the
cryptographic unit (or host processor) requesting prepara-
tion to transfer contents of main memory to a hard disk
controller (Step 805). The cryptographic unit (or host
processor) generates a session key for encryption, referred to
as a "file key", and securely transmits the file key to the
chipset through the use of the message key (Steps 810 and
815). The chipset places the file key in the session key
storage element (Step 820). Thereafter, the OS writes the
data contained in main memory to the hard disk controller
and the chipset encrypts the data, forming at least a portion
of the message, with the file key as it propagates there-
through. Thus, the data is stored in an encrypted format on
HDD (Step 825).

Referring now to FIG. 9, it is contemplated that another
architectural embodiment of an electronic system 900
employing the present invention may be used, absent par-
titioned data security functionality as set forth in FIGS. 3-7.
The electronic system 900 includes a chipset 910 performing
bulk cryptographic operations and internally controlling
these operations. Thus, a dedicated cryptographic unit for
control purposes would not be required.

Referring to FIG. 10, a more-detailed block diagram
illustrating one embodiment of the chipset 910 is shown.
Similar to the chipset illustrated in FIG. 4, this chipset 910
includes (i) a cryptographic engine 915 coupled to both the
bus and the memory bus through internal buses 920 and 925
respectively, and (ii) a session key storage element 930
coupled to the cryptographic engine 915 through a dedicated
bus 935. However, chipset 910 further comprises circuitry for
controlling and managing the bulk cryptographic operations
performed by the cryptographic engine 915. This circuitry
includes a processing unit 940 (e.g., a processor, state
machine, micro-controller, etc.), coupled to both internal bus
920 and another internal bus 945 coupled to session key
storage element 930, and memory capable of storing key
information (e.g., public/private key pair or other key
information), cryptographic software, or any other data.
Preferably, the memory includes a non-volatile memory
element 950 coupled to internal bus 945 and/or volatile
memory 955. Optionally, as indicated by dashed lines, the
chipset 910 may include a random number generator 960,
coupled to internal bus 945, to internally produce key
information.

In general, chipset 910 differs from chipset 315 of FIGS. 
3-4 in that it is implemented with circuitry and software to 
control and manage bulk cryptographic operations by the
chipset 910 in lieu of external control by the cryptographic 
unit of FIGS. 3-4. The advantage of internalizing both the 
circuitry for performing the bulk cryptographic operations 
and the circuitry for controlling and managing these opera- 
tions within the same physical package is that it allows for 
the elimination of additional storage space for a shared 
secret key (e.g., the shared key storage element). The reason 
is that there is lesser need for a cryptographically secure 
communication because the processing unit is not externally 
located from the chipset as in partitioned functionality. For 
illustrative purposes, the operations of the chipset 910 are 
discussed in relation to the receipt of an external message 
(e.g., an electronic mail message). A portion of the external 
message, namely the header, is transferred from the trans- 
ceiver to the host processor. Upon the host processor deter- 
mining that the message is encrypted, it sends the header to 
the chipset 910. The chipset 910 routes the header to the 
processing unit 940, which would decrypt the header using 
key information stored within internal memory of the 
chipset 910, most likely non-volatile memory element 950. 
The key information would likely be a private key of the 
electronic system contained within the chipset 910, although 
the key may be a symmetric key if symmetric key cryptog- 
raphy is used. 

Upon decrypting the header, the processing unit 940 
would extract a mail key from the header and this mail key 
would be transferred from the processing unit 940 to the 
session key storage element 930 through internal bus 945. 
Thereafter, the host processor would arrange the rest of the 
data forming the external message to be transferred through 
the cryptographic engine 915 via internal bus 920. The 
cryptographic engine 915 would decrypt the data of the 
external message using the mail key, provided by the session 
key storage element 930 via internal bus 935, and subse- 
quently route the non-encrypted data to main memory via 
internal bus 925. 

While certain exemplary embodiments have been 
described and shown in the accompanying drawings, it is to 
be understood that such embodiments are merely illustrative 
of and not restrictive on the broad invention, and that this 
invention not be limited to the specific constructions and 
arrangements shown and described, since various other 
modifications may occur to those ordinarily skilled in the art. 

What is claimed is: 

1. A system comprising: 
a bus; 

a cryptographic unit coupled to the bus, the cryptographic 
unit to provide information in an encrypted format; and 

a chipset coupled to the bus, the chipset including dedi- 
cated circuitry to decrypt the information provided by 
the cryptographic unit and to perform a bulk crypto- 
graphic operation on incoming data using at least a 
portion of the information provided by the crypto- 
graphic unit. 

2. The system according to claim 1 further comprising a 
memory element coupled to the chipset. 

3. The system according to claim 1, wherein the crypto- 
graphic unit includes 

an internal bus; 

a processing unit coupled to the internal bus; and 

a non-volatile memory element coupled to the internal
bus, the non-volatile memory element to contain at
least a secret key.

4. The system according to claim 3, wherein the crypto- 
graphic unit further includes a random number generator. 
5. The system according to claim 3, wherein the dedicated
circuitry of the chipset includes a cryptographic engine, at
least one storage element to contain both the secret key and
a session key used to perform the bulk cryptographic opera-
tion.

6. The system according to claim 5, wherein the dedicated
circuitry is placed within an integrated circuit package of the
chipset.

7. The system according to claim 1, wherein the dedicated
circuitry includes (i) a cryptographic engine and (ii) a
storage element to contain a secret key identical to a secret
key contained in the cryptographic unit.

8. A system comprising:
memory means for storing information;

bus means for transferring the information;

circuit means for performing a bulk cryptographic opera-
tion on the information, said circuit means being con-
nected to the memory means and the bus means; and

cryptographic means for providing key information in an
encrypted format to said circuit means to enable said
circuit means to perform the bulk cryptographic
operation, said cryptographic means being connected to
the bus means.

9. A system comprising:
a bus;

a chipset coupled to the bus, the chipset including dedi-
cated circuitry to perform a bulk cryptographic opera-
tion and to contain a secret key; and

a cryptographic unit coupled to the bus, the cryptographic
unit establishes a cryptographically secure communi-
cation link with the chipset and provides information to
the chipset so that the chipset is able to perform the
bulk cryptographic operation, the cryptographic unit
includes a processing unit and a non-volatile memory
element to contain at least the secret key.

10. The system according to claim 9, wherein the cryp-
tographic unit further includes a random number generator
which, when activated by the processing unit, generates the
secret key that is subsequently loaded into the non-volatile
memory element.

11. The system according to claim 10, wherein the cryp-
tographic unit and the chipset use the secret key to exchange
information in an encrypted format to establish a session key
used to decrypt the information during the bulk crypto-
graphic operation.

12. The system according to claim 9, wherein the non-
volatile memory element of the cryptographic unit further
contains a private key associated with the system to support
public-private key cryptography with another system.

13. The system according to claim 9, wherein the dedi-
cated circuitry of the chipset includes

a cryptographic engine coupled to the bus; and

a first storage element coupled to the cryptographic
engine, the first storage element to contain the secret
key.

14. The system according to claim 13, wherein the dedi-
cated circuitry of the chipset further includes a second
storage element coupled to the cryptographic engine, the
second storage element to contain at least the session key
produced by the cryptographic unit for use by the chipset
during the bulk cryptographic operation.

15. The system according to claim 14, wherein the second
storage element operates as cache memory including a
plurality of storage entries, each storage entry to contain a
session key, addressing information, and priority informa-
tion pertaining to the session key.
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16. The system according to claim 13, wherein the cryp- 
tographic engine is performing one of (i) cryptographic 
operations on incoming data into the chipset, and (ii) hash- 
ing operations on the incoming data. 

17. An electronic system comprising: 5 
means for storing data in a non-encrypted format; 
peripheral means for storing the data in a n encrypted 

format; 

chipset means for interconnecting the memory means to 1Q 
the peripheral means and for performing a bulk cryp- 
tographic operation on incoming data transmitted 
through the chipset means by one of the means for 
storing and peripheral means; and 

processor means for establishing a cryptographically 15 
secure communication link with the chipset means and 
for providing information to the chipset means to 
enable the chipset means to perform the bulk crypto- 
graphic operation. 

18. The electronic system according to claim 17, further 2 o 
comprising cryptographic means for establishing secure 
communications to the chipset means and for providing 
information to the chipset means so that the chipset means 

is able to perform the bulk cryptographic operation. 

19. The electronic system according to claim 18, wherein 2 s 
the cryptographic means includes 

processing means for processing data; 
memory means for storing at least a secret key; 
generating means for producing the secret key upon being 

activated by the processing means; and 30 
internal bus means for interconnecting the processing 

means, the memory means and the generating means to 

the chipset means. 

20. The electronic system according to claim 19, wherein 35 
the generating means includes a random number generator. 

21. The electronic system according to claim 19, wherein 
the memory means includes a non-volatile memory element 
to contain the secret key and a private key of the system to 
support public-private key cryptography. 4Q 

22. The electronic system according to claim 19, wherein 
the chipset means includes 

a bus coupled to said cryptographic means and said
peripheral means;

a cryptographic engine coupled to the bus; and

a first storage element coupled to the cryptographic
engine, the first storage element to contain at least a
secret key.

23. The electronic system according to claim 22, wherein 
the chipset means further includes a second storage element
coupled to the cryptographic engine, the second storage 
element capable of containing at least one session key 
produced by the cryptographic means for use by the chipset 
means during the bulk cryptographic operation. 

24. The electronic system according to claim 17, wherein
the chipset means includes

a bus coupled to said cryptographic means and said
peripheral means;

a cryptographic engine coupled to the bus; and

a first storage element coupled to the cryptographic
engine, the first storage element to contain at least a
secret key identical to a key contained in the processor
means.

25. An electronic system comprising:
a memory element; 

a bus;

at least one peripheral device coupled to the bus, the at
least one peripheral device including a transceiver to 
transmit information and to receive information; 

a cryptographic unit coupled to the bus, the cryptographic 
unit to output control information in an encrypted 
format; and 

a chipset coupled to the bus and the memory element, the 
chipset including dedicated circuitry to decrypt the 
control information and to perform a bulk crypto- 
graphic operation on the information using at least a 
portion of the control information. 

26. The electronic system according to claim 25, wherein 
the chipset includes 

a cryptographic engine coupled to the bus; and 
a first storage element coupled to the cryptographic 
engine, the first storage element to contain at least a 
secret key also imprinted in the cryptographic unit. 

27. A method of decrypting data stored in an encrypted 
format within an electronic system, possessing partitioned 
cryptographic functionality, including a chipset having dedi- 
cated circuitry to perform a bulk cryptographic operation 
and circuitry to control the chipset, comprising the steps of: 

transferring a header of a message to the circuitry, the 

header including a session key; 
decrypting the header within the circuitry to obtain the 

session key; 

encrypting the session key with a shared secret key, 
loaded in both the chipset and the circuitry, to produce 
a control message; 

transferring the control message from the circuitry to the 
chipset; 

decrypting the control message within the chipset using 
the shared secret key previously loaded in the chipset; 
and 

storing the session key within the chipset for use in 
performing the bulk cryptographic operation. 

28. A method of encrypting data before storage in a mass 
storage device of an electronic system, possessing parti- 
tioned cryptographic functionality, including a chipset hav- 
ing dedicated circuitry to perform a bulk cryptographic 
operation and circuitry to control the chipset, comprising the 
steps of: 

transferring a request to the circuitry requesting prepara- 
tion for transfer of data contained in main memory to 
the mass storage device; 

generating a session key internally within the circuitry; 

encrypting the session key with a shared secret key 
previously loaded in both the chipset and the circuitry 
to produce a control message; 

transferring the control message to the chipset; 

decrypting the control message with the shared secret key 
loaded in the chipset; 

storing the session key within the chipset; and 

encrypting data transferred from the main memory to the 
mass storage device as the data propagates through the 
chipset. 
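
As an added example (not part of the patent), the session-key hand-off recited in claims 27 and 28, in Python. The cipher (an HMAC-SHA256 keystream with an authentication tag), the header key, the creation of the header at store time, and all class and function names are assumptions; the claims name no algorithm.

```python
import hashlib, hmac, secrets

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    stream = b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Stand-in cipher (assumption): HMAC-SHA256 keystream, encrypt-then-MAC."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("authentication failed")  # wrong key or tampering
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

class ControlCircuitry:  # the claims' "circuitry to control the chipset"
    def __init__(self, shared_key, header_key):  # header_key: assumed, not named in the claims
        self._shared, self._header = shared_key, header_key
    def prepare_store(self):  # claim 28: generate session key, wrap it as a control message
        session = secrets.token_bytes(32)
        return seal(self._shared, session), seal(self._header, session)
    def prepare_load(self, header):  # claim 27: decrypt header, re-encrypt key for the chipset
        return seal(self._shared, unseal(self._header, header))

class Chipset:
    def __init__(self, shared_key):
        self._shared, self._session = shared_key, None
    def load_control(self, control_message):
        self._session = unseal(self._shared, control_message)
    def encrypt_bulk(self, data):
        return seal(self._session, data)
    def decrypt_bulk(self, blob):
        return unseal(self._session, blob)

def demo(data=b"constructed sample record"):
    shared = secrets.token_bytes(32)
    circuitry = ControlCircuitry(shared, secrets.token_bytes(32))
    writer, reader = Chipset(shared), Chipset(shared)
    control, header = circuitry.prepare_store()
    writer.load_control(control)
    stored = writer.encrypt_bulk(data)
    reader.load_control(circuitry.prepare_load(header))  # later read, via the header
    return stored, reader.decrypt_bulk(stored)
```

The session key crosses the bus only inside a control message sealed under the shared secret key, so a chipset holding a different shared key rejects the message instead of loading a wrong session key.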

29. A system comprising: 
a bus; 

a host processor coupled to the bus, the host processor to 
output information in an encrypted format; and 

a chipset coupled to the bus, the chipset including dedi- 
cated circuitry to decrypt the information provided by 
the host processor and to perform a bulk cryptographic 
operation on incoming data using the information provided
to the host processor.

30. The system according to claim 29, wherein the host
processor includes circuitry implemented for controlling the
chipset in performing the bulk cryptographic operation.

31. The system according to claim 29, wherein the host
processor is executing software to control the chipset in
performing the bulk cryptographic operation.